1 - general

1.1

Q:
What is that strange, evil blue being in the NoScript logo?
A:
It is Jesse the JavaScript Worm, an extra-dimensional menace
trapped by NoScript. He's said to be the evil cousin of Trogdor,
but I swear by the Flying Spaghetti Monster I did not know anything about
StrongBad and his dragon when I designed the NoScript logo ;)

1.2

Q:
Can GreaseMonkey work with NoScript?
A:
Yes, it can.
Some GreaseMonkey user scripts work only on pages where JavaScript is allowed,
but most of them work anyway.
For instance, if you're a Mozillazine forum user, you may want to install the GreaseMonkey script
featured in this FAQ, which makes your life easier if you prefer to keep
JavaScript off on message boards (wise choice, BTW).

1.3

Q:
Can FlashBlock work with NoScript?
A:
FlashBlock works only on pages where JavaScript is allowed.
This is a Firefox limitation, and there's an open bug
about it, but it's unlikely it will be fixed any time soon, because of its security implications.
Obviously enough, it would be more useful to block Flash on sites you don't trust.
Good news: you can block Flash using NoScript itself!

1.4

Q:
Can adblockers work with NoScript?
A:
Even though NoScript blocks many advertisements as a side effect,
its main focus is on security, so it lacks some of the fine-grained controls over ad delivery
which you can find in proper adblocking products.
On the other hand, NoScript provides unique protection features against Web-based attacks, such as XSS or Clickjacking, and
a high level of reliability, which are not available in adblockers.
Therefore NoScript and adblockers, such as Adblock Plus or uBlock, complement each other.
You can use them together for secure and quiet browsing.

1.5

Q:
What websites are in the default whitelist and why?
A:
If you're a security-minded user, you probably want to build your own customized whitelist
suiting your needs and keep it as short as you can.
Therefore, when you install NoScript for the first time, you've got a very short default whitelist of sites you can
trust:

chrome:
It can't be removed because it is the privileged pseudo-protocol
used by Firefox internal scripts: disabling it would prevent the browser itself from working.

about:xyz, moz-safe-about:, resource:
A bunch of internal pseudo URLs. They can't be removed because they help your browser to work as expected.

blob:, mediasource:
Internal pseudo URLs identifying content generated by a script. They can't be removed because if you have these on a page, you already allowed the script generating them, so no point treating them separately.

about:pocket*
Internal URLs of the Pocket service, distributed as part of Firefox.

addons.mozilla.org and mozilla.net
The add-ons Mozilla website and the domain serving its static content for performance reasons. You probably installed NoScript and any other extension you've got from there.
Also, they are the same people who made your browser - you trust these guys, don't you?

noscript.net
You just installed NoScript on your system, running with the privileges of your web browser.
If you don't trust it, you've got a much bigger problem than JavaScript on its website (strictly HTTPS) ;)

All these sites have been added to enable JavaScript on the most popular AJAX-based webmail services "out of the box".
This way, even if some users install NoScript without understanding what they're doing,
and have no idea
how NoScript works, they can still ask for help by email.

ajax.aspnetcdn.com bootstrapcdn.com code.jquery.com yandex.st tinymce.cachefly.net
CDNs providing common, well known and verified JavaScript libraries and frameworks to popular websites.

Obviously, if any of the entries above (except chrome: and some about:xyz ones) bothers you for any reason,
you can delete it at any time by using either NoScript Options|Whitelist|Remove or
the regular Forbid commands.

1.6

Q:
What is that weird sound that I hear when I open a web page?
A:
This is a sound that Markus kindly offered me while suggesting that NoScript provide
audio feedback notifying you when pages containing <script> tags
are opened. I believe it's a wise suggestion, since I've heard of people who
installed NoScript and after that were surprised to find some sites not working
anymore: at least they would be reminded that there's a nasty little extension doing its work :-)
On the other hand, many people seem not to like this distinctive toilet cover sound that much ;-)
Of course, you can disable it whenever you want by changing the
NoScript Options|Notifications options.
Version 1.0.7 and above use a more discreet "Zap" sound and an alternate standard "Popup blocker" style notification (Firefox only).

1.7

Q:
Have I got to disable JavaScript from Firefox options to browse safely with NoScript?
A:
You must not disable JavaScript in Firefox! NoScript will allow/forbid scripts, but they have
to be kept enabled by default, as it almost always is.
On Firefox 24 or above this is a hidden about:config preference
(javascript.enabled) which must preserve its default true value.
On older Firefox versions only (23 or below) you may want to check that
Tools|Options|Content|Enable JavaScript* option is still checked (JavaScript enabled),
otherwise JavaScript is disabled everywhere even if allowed by NoScript.

*Under Preferences on Mac OS X, Edit|Preferences on Linux.

1.8

Q:
Have I got to disable Java and/or Plugins from Firefox options to browse safely with NoScript?
A:
You don't need to: NoScript can block Java™, Flash® and other plugins.

1.9

Q:
Why can I sometimes see about:blank and/or wyciwyg: entries in my NoScript menu? What scripts are causing this?
A: about:blank is the common URL designating empty (newly created) web documents.
A script can "live" there only if it has been injected (with document.write() or DOM manipulation, for instance) by another script which must have its own permissions to run.
It usually happens when a master page creates (or statically contains) an empty sub-frame (automatically addressed as about:blank) and then populates it using scripting.
Hence, if the master page is not allowed, no script can be placed inside the about:blank empty page and its "allowed" privileges will be void.
Given the above, risks in keeping about:blank allowed should be very low, if any.
Moreover, some Firefox extensions need it to be allowed for scripting in order to work.
Sometimes, especially on partially allowed sites, you may also see a wyciwyg: entry. It stands for "What You Cache Is What You Get",
and identifies pages whose content is generated by JavaScript code through functions like document.write().
If you can see such an entry, you already allowed the script generating it,
hence the above about:blank trust discussion applies to this situation as well.

1.10

Q:
Why should I allow JavaScript, Java, Flash and plugin execution only for trusted sites?
A: JavaScript,
Java and
Flash,
although they are very different technologies, do have one thing in common: they execute on your computer code coming from a remote site.
All three implement some kind of sandbox model, limiting the activities remote code can perform:
e.g., sandboxed code shouldn't read/write your local hard disk nor interact
with the underlying operating system or external applications.
Even if the sandboxes were bulletproof (not the case, read below) and even if you or your operating system wrap the whole browser with another sandbox
(e.g. IE7+ on Vista or Sandboxie),
the mere ability to run sandboxed code inside the browser can be exploited for malicious purposes,
e.g. to steal important information you store or enter on the web (credit card numbers, email credentials and so on)
or to "impersonate" you, e.g. in fake financial transactions, launching "cloud" attacks like
Cross Site Scripting (XSS) or CSRF,
with no need to escape your browser or gain privileges higher than a normal web page's.
This alone is reason enough to allow scripting on trusted sites only.
Moreover, many security exploits aim to achieve a "privilege escalation",
i.e. exploiting an implementation error of the sandbox to acquire greater privileges and
perform nasty tasks like installing trojans, rootkits and keyloggers.
This kind of attack can target JavaScript, Java, Flash and other plugins as well:

JavaScript looks like a very precious tool for bad guys: most of the fixed
browser-exploitable vulnerabilities discovered to date were ineffective if JavaScript was disabled.
Maybe the reason is that scripts are easier to test and search for holes, even if you're a newbie hacker:
everybody and his brother believes he's a JavaScript programmer :P

Java
has a better history, at least in its "standard" incarnation, the Sun JVM.
There have been viruses written for the Microsoft JVM instead, like the ByteVerifier.Trojan.
Anyway, the Java security model allows signed applets (applets whose integrity and origin are guaranteed by a digital certificate)
to run with local privileges, i.e. just as if they were regular installed applications.
This, combined with the fact that there are always users who, in front of a warning like "This applet is signed with a bad/fake certificate.
You DON'T want to execute it! Are you so mad as to execute it anyway? [Never!] [Nope] [No] [Maybe]",
will search for, find and hit the "Yes" button, earned some bad reputation even for Firefox (notice that the article is quite lame, but, as you can imagine, it had much echo).

Other plugins are harder to exploit, because most of them don't host a virtual machine like Java and Flash do,
but they can still expose holes like buffer overruns that may execute arbitrary code
when fed specially crafted content.
Recently we have seen several of these plugin vulnerabilities,
affecting Acrobat Reader, Quicktime, RealPlayer and other multimedia helpers.

Please notice that none of the aforementioned technologies is usually (95% of the time) affected by
publicly known and still unpatched exploitable problems,
but the point of NoScript is exactly this: preventing the exploitation of security holes that are not yet known,
because when they are discovered it may be too late ;)
The most effective way is disabling the potential threat on untrusted sites.

1.11

Q:
What is a trusted site?
A: A "trusted site" is a site whose owner is well identifiable and reachable,
so I have someone to sue if he hosts malicious code which damages or steals my data.*
If a site qualifies as "trusted", there's no reason why I shouldn't allow JavaScript, Java or Flash. If some content is annoying, I can disable it with AdBlock.
What I'd like to stress here is that "trust" is not necessarily a technical matter.
Many online banking sites require JavaScript and/or Java, even in contexts where these technologies are absolutely useless and abused:
for more than 2 years I've been asking my bank to correct a very stupid JavaScript bug preventing login from working with Firefox.
I worked around this bug by writing an ad hoc bookmarklet, but I'm not sure the average Joe user could.
So, should I trust their mediocre programmers for my security?
Anyway, if something nasty happens with my online bank account because it's unsafe, I'll sue them to death (or better, I'll let the world know) until they refund me.
So you may say "trustworthy" means "accountable".

Starting with version 1.9.9.61, NoScript offers a "Site Info" page which can help you assess the trustworthiness
of any web site shown in your NoScript menu. You can access this service by middle-clicking or shift-clicking the relevant menu item.
If you're more on the technical side and you want to examine the JavaScript source code before allowing a site, you can help yourself with
JSView (unofficial).
Also, if you seek assistance in the NoScript forum and you want to report the sites listed in your menu,
you can easily do it, with no need to type them, by just right-clicking one item or the menu itself: this copies the information to the
system clipboard for you to paste anywhere.

*
You may ask: what if a site I really trust gets compromised?
Will I get infected as well because I've got it in my whitelist, and end up suing as you said?
No, you won't, most probably. When a respectable site gets compromised, 99.9% of the time the malicious
scripts are still hosted on a different domain, which is likely not in your whitelist, and are just included
by the pages you trust. Since NoScript blocks 3rd party scripts which have not been explicitly whitelisted themselves,
you're still safe, with the additional benefit of an early warning :)

1.12

Q:
When I enable "JavaScript" globally, Java and Flash are enabled too. Is there a way to have
JavaScript enabled but keep Java and Flash blocked until I click on the NoScript placeholder?
A:
Even if you trust JavaScript to be enabled everywhere (and you shouldn't), you can still use NoScript as an effective annoyance blocker.
To set up this "Annoyance Block" mode, you just need to:

Check the NoScript Options|Embeddings|Apply these restrictions to trusted sites as well
preference

This way, the main address of each site you visit will be temporarily allowed to run JavaScript
(you may still need to check 3rd party scripts, but they're usually ads and tracking stuff), while the content blocking
restrictions you set up for untrusted sites (NoScript Options|Advanced|Embeddings) will be applied everywhere.
Notice that this setup, even if useful in blocking annoyances and still safer than vanilla Firefox,
is considerably weaker from a security standpoint than the default NoScript configuration.

1.13

Q:
What do the different NoScript icons mean?
A:

- this means that scripts and plugin contents are blocked for the current site and its subframes.
Even if some of the 3rd party script sources imported by the page may be in your whitelist,
no code can run because the hosting documents are not enabled.

- this means the top level site is still forbidden,
but some active subcontent pieces (either frames or plugin objects) are allowed: some code may be running,
but the page is likely not to work correctly yet because its main script source is still blocked.

- this means scripts are allowed for the top-level (main) document,
but some other active content or script sources imported by this page are not allowed yet.
This happens when there are multiple frames, or script elements linking code hosted on 3rd party hosts.
Since they're often unnecessary, the site is likely to work even in this "partially allowed" state.
Furthermore, in most cases when a site is compromised with JavaScript malware, the malicious code is hosted on external "shady" sites.
Even if you've previously allowed the top-level site, these external sites are still blocked and the attack fails anyway.

- this means that all the script sources for the page are allowed but some embedded content (frames or plugin objects) is blocked.
You can check and allow the blocked content either by looking for yellow visual placeholders in the page or by examining the
Blocked Objects sub-menu.

- this means that scripts are allowed for some URLs, and all the other ones are marked as untrusted.

- this means that script execution is allowed for the current site.

- this means that scripts are globally allowed (why did you decide to browse with low protection??!)

The number of detected <script> tags for the current page is shown in a tooltip when you hover
over the icon with your mouse.
If the "S" inside the icon is white rather than blue,
0 script tags have been detected: this likely means you
don't need to enable JavaScript in that page at all.

2.2

Q:
So I've downloaded this XPI thing. I've never seen such a file type! What the hell am I supposed to do with this kind of file?
A:
Just drag and drop this file onto your browser window.
If it doesn't work, select the Tools|Add-Ons Manager menu item: the Add-ons Manager opens, select Extensions (on the left-hand side), then you can drag and drop your XPI file there.

2.3

Q:
How can I uninstall NoScript?
A:
Well, this is not exactly a frequently asked question, but nevertheless
someone (very few) actually wondered about it...
If you just prefer to restore Firefox's default (less safe) behavior of allowing JavaScript and plugins by default,
but you'd like to retain
Anti-XSS protection and the ability to selectively blacklist sites, you can just click the NoScript icon and select the
"Allow Scripts Globally (dangerous)" command.
But if, for some inscrutable reason, you really want to uninstall, you can proceed as follows:

If you're using Firefox, open the Extension Manager by selecting the Add-ons
item from the "hamburger menu" (formerly Tools|Add-ons) and choosing the Extensions tab.
Highlight the "NoScript" row and click the Uninstall button.
In the rare case it doesn't work, read the next points.

Finally, if you installed NoScript into Netscape 7.x, well, you're in trouble. Netscape 7.x is not a
supported browser
for NoScript. Actually, it is not a supported browser at all. It's far too old, it's very flawed, and if you're even a bit security
conscious you should immediately get rid of that archaeological item and install an up-to-date browser such as
Firefox. Anyway, an adventurous user reported that he managed to uninstall NoScript from Netscape 7.x
this way:

Close your browser gracefully using the Quit or Exit menu (this is important to leave it in a consistent, script-enabled state)

Use the search facility of your operating system to find all the files whose name begins with the word "noscript".

2.4

Q:
Where's my NoScript configuration stored? How can I backup or migrate it? How can I reset it?
A:
Your NoScript configuration, including permissions (whitelist/blacklist) and other settings, is stored together with all your Firefox preferences,
inside your browser profile folder (prefs.js file). Whenever you back up your browser profile, you are saving the whole NoScript configuration as well.

If you want a copy of your whitelist alone as a text file, which you can transfer to other profiles or computers, you can use the
Export and Import commands from NoScript Options|Whitelist. In the same options tab you can remove some or all of your whitelist entries.

If you want to back up your whole NoScript configuration and permissions, you can use the Export and Import buttons at the bottom of the Options dialog.
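Since the whole configuration lives in prefs.js, you can also pull the NoScript entries out of that file yourself, which is handy when you want to inspect them or carry them to another profile by hand. The following is an added example, not NoScript's own code: it parses the `user_pref("name", value);` lines that make up prefs.js, keeps the entries whose name starts with `noscript.` (an assumption about which prefix NoScript uses), writes them back out in the same syntax, and also answers two questions from elsewhere in this FAQ: whether `javascript.enabled` still has its default value (FAQ 1.7) and which `capability.policy.*` entries are present (the ones FAQ 3.8 says to remove). The sample prefs.js content is constructed for the example.

```javascript
// Added example, not NoScript's own code: extract the NoScript entries from a
// Firefox prefs.js file so they can be backed up or carried to another profile.
// prefs.js consists of `user_pref("name", value);` lines with JSON-like values.
// ASSUMPTIONS: NoScript's own settings are the prefs whose names start with
// "noscript."; the sample file below is constructed for this example.

const SAMPLE_PREFS_JS = `# Mozilla User Preferences
// Do not edit this file while Firefox is running.
user_pref("browser.startup.page", 1);
user_pref("javascript.enabled", true);
user_pref("noscript.keys.ui", "ctrl shift S");
user_pref("noscript.forbidData", false);
user_pref("capability.policy.allowclipboard.sites", "https://webmail.example");
user_pref("noscript.global", false);
user_pref("noscript.broken", 'single quotes are not valid here');
`;

// Matches one user_pref() call; group 1 is the (possibly escaped) name, group 2 the raw value.
const PREF_LINE = /^user_pref\("((?:[^"\\]|\\.)*)",\s*(.+)\);$/;

// Parse prefs.js text into a { name: value } object, skipping comments and
// any line whose value is not valid JSON.
function parsePrefsJs(text) {
  const prefs = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith("//")) continue;
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    let value;
    try {
      value = JSON.parse(m[2]);
    } catch (e) {
      continue; // malformed value: ignore this line
    }
    prefs[m[1].replace(/\\(.)/g, "$1")] = value;
  }
  return prefs;
}

// Keep only the prefs that belong to NoScript (assumed "noscript." prefix).
function noscriptPrefs(prefs) {
  const out = {};
  for (const [name, value] of Object.entries(prefs)) {
    if (name.startsWith("noscript.")) out[name] = value;
  }
  return out;
}

// Serialise a { name: value } object back into prefs.js syntax for import elsewhere.
function toPrefsJs(prefs) {
  return Object.entries(prefs)
    .map(([name, value]) => `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`)
    .join("\n") + "\n";
}

// FAQ 1.7: javascript.enabled must keep its default (true); an absent pref means default.
function javascriptStillEnabled(prefs) {
  return prefs["javascript.enabled"] !== false;
}

// FAQ 3.8: list the capability.policy.* entries that should be removed by hand.
function capabilityPolicyEntries(prefs) {
  return Object.keys(prefs).filter(name => name.startsWith("capability.policy."));
}

function main() {
  const all = parsePrefsJs(SAMPLE_PREFS_JS);
  const mine = noscriptPrefs(all);
  console.log("NoScript prefs to back up:\n" + toPrefsJs(mine));
  console.log("javascript.enabled OK:", javascriptStillEnabled(all));
  console.log("capability.policy entries:", capabilityPolicyEntries(all));
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it with Node against the constructed sample and it prints the three `noscript.*` entries in prefs.js syntax, reports that `javascript.enabled` is still at its default, and lists the single `capability.policy.allowclipboard.sites` entry; the deliberately malformed last line of the sample is skipped rather than aborting the parse.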

2.5

Q:
I don't like NoScript redirecting the browser on its release notes page every time I upgrade it. Is there any way to prevent this?
A:
The first time you install NoScript and every time you upgrade it to a newer major version,
Firefox opens an additional tab containing the NoScript welcome page, where you can read the release notes,
the latest announcements and an introduction to the most important NoScript features (plus a link to this very FAQ...)
If you feel you don't need such a heads-up, you can disable this feature by clicking the NoScript icon, selecting
Options and unchecking "Display the release notes on update" in the "Notifications" tab.
Notice that if the above "fix" doesn't work or, worse, you keep being redirected to the welcome page every time you restart Firefox,
chances are there's something (like a buggy extension) preventing your preferences from being saved: you may need to
follow this advice, then.

2.6

Q:
Yes, I love NoScript,
but releasing new versions every few days is getting tedious, can't you limit updates to once a month?!
A:
NoScript is a security tool, hence its users expect it to make every effort to keep their browsing experience
as safe as it can be, always.
This means that every time a new browser weakness is reported, a new kind of web threat is discovered or a bug is found in NoScript itself
(hey, no software is perfect!), NoScript is immediately updated to react as needed.

Notice that almost daily "RC" builds for beta testers, containing cosmetic bug fixes or experimental features, are available from
https://noscript.net/getit#devel and from the
Beta Channel on AMO,
but the updates pushed automatically through the "regular" AMO channel
(for users who are not beta-testers) every 7-10 days are only the "stable" versions,
containing either important security features or major functionality additions.
If at a certain point you installed an "RC" version, but you no longer want to be on the Beta Channel, which gets updated almost daily,
just install the current release version from AMO.

At any rate, if you want automatic updates to be delivered with a lower frequency,
you can raise the extensions.update.interval about:config preference.
You could also disable NoScript automatic updates by creating a new
about:config preference named
extensions.{73a6fe31-595d-460b-a920-fcc0f8843232}.update.enabled and setting it to false.
Furthermore, if you want to completely turn off automatic updates and perform all your upgrades manually whenever you want, you
can simply set the extensions.update.enabled about:config
preference to false.
For users of Firefox 2.x and 3.x, even more control over updates and other aspects of extension management is given by the excellent
MR Tech's Local Install extension by Mel Reyes.
Even if you disabled automatic updates, you could still catch up with new releases by subscribing to the
NoScript changelog feed.
Finally, if you're fine with automatic updates but you're just bothered by the welcome page displaying NoScript's release notes, you may
want to read FAQ 2.5.

2.7

Q:
I've just upgraded from Firefox 3.6 or Firefox 28, and the NoScript icon disappeared or is not where it used to be anymore. What's going on?
A:
Firefox 4 has removed the so called "Status Bar", i.e. the panel on the bottom of the browser window where most add-ons
(including NoScript) used to place their icons. In place of the Status Bar, Firefox 4 introduced the "Add-on Bar", which is a regular toolbar, just placed at the bottom but
hidden by default.
For this reason, when you upgrade to Firefox 4 or install NoScript in Firefox 4 and above,
NoScript checks whether the Add-on Bar is hidden or not:
if the Add-on Bar is hidden, NoScript's icon gets moved up to the navigation bar, near the address box, at the top of Firefox's window;
otherwise it stays at the bottom, inside the Add-on Bar.
At any rate, you can drag NoScript's icon wherever you prefer, after right-clicking on any toolbar and selecting "Customize".

Firefox 29 and above have removed the add-on bar as well. If your NoScript icon was on the add-on bar, it probably got put either on the Navigation bar or somewhere under the '≡' button on the right of the toolbar.

3 - troubleshooting

3.1

Q:
Since I installed NoScript some Firefox crashes happen. What can I do?
A:
Upgrade to the most recent stable Firefox version. Firefox up to 1.0.4 was affected by the
2-year-old Bug 217967, which used to randomly crash the browser after security permissions had been changed.
I fixed it with a patch that landed in the Mozilla source tree on 30 June 2005, hence Firefox 1.0.5 and above don't crash anymore with NoScript :)
Notice that other crashes, happening in buggy plugins as soon as you allow JS on a page, may be wrongly perceived as NoScript related even if they're not.
The most commonly reported are caused by the Windows Media Player plugin, by the Yahoo Application State plugin or by the VLC plugin.
The latter is installed by VLC, a cool audio/video streaming application,
but notwithstanding the VLC coolness (I'm an enthusiast myself), this plugin is behind the "Firefox Sudden Death" phenomenon (i.e. Firefox abruptly disappears with no error message).
To cure this disease, you need to remove npvlc.dll from your Firefox plugins folder.

3.2

Q:
I cannot find the NoScript toolbar button. Where is it?
A:
Right-click on any toolbar and choose the "Customize" menu item.
A window will appear where you'll find the NoScript button: just drag and drop it on the toolbar you prefer.

3.3

Q:
I can't use hotmail (gmail, name.your.mail) / ebay / my online bank account. What's happening?
A:
Those services use JavaScript intensively, also in subframes and dialogs which don't necessarily
have the same URL as the login page. The easiest (even if not the safest) thing you can do to fix
your problem is right-clicking on the page, opening the NoScript menu and allowing the base domain (i.e. hotmail.com or google.com) rather than the full URL.
The really safest behaviour would be right-clicking on every page which doesn't work and allowing, one by one,
those address entries which are marked as forbidden, starting with the ones apparently more connected with the main site and stopping when the page works.
Some common settings:

3.4

Q:
I met a page where a movie clip is supposed to be played, but I get a popup saying that
the Windows Media Player (WMP) plugin has performed an illegal operation. If I uninstall NoScript,
this doesn't happen. What's going on?
A:
This is (was?) a Windows Media Player (WMP) plugin bug, not a NoScript problem.
On some pages, WMP crashes if JavaScript is not enabled.
If you uninstall NoScript but disable JavaScript using the built-in Firefox interface, you get
the very same error. A work-around is keeping WMP disabled on untrusted sites, using
NoScript Options|Advanced|Untrusted|Forbid other plugins.
Good news is that this bug seems to be fixed in the
latest version of the WMP plugin for Firefox, so you should just need to upgrade.

3.5

Q:
I've got a little trouble installing the extension using Mozilla Suite (or SeaMonkey 1.x).
After downloading, the install starts, but I get one of the following messages:
- You probably don't have appropriate permissions (write access to your profile or chrome directory).
- WARNING: PARTIAL INSTALLATION
A:
Due to a limitation in Mozilla Suite and SeaMonkey (which lack the true extensions support introduced with Firefox),
installing an add-on which delivers its own XPCOM components (such as FlashGot, NoScript, FoxyTunes, ColorZilla and many others) can be a bit cumbersome.
You need write access to the Mozilla/SeaMonkey installation directory when you install the extension.
You can either:

Start SeaMonkey as root/Administrator and install the package.
When you restart SeaMonkey from your usual account, NoScript will be available to your unprivileged profile as well.

Alternatively, you can install a local copy of Mozilla in your home directory and use it.
In this case, you can install the extension just once as an unprivileged user, because you have write access to the install directory.

Firefox doesn't suffer from this problem because XPCOM components are installed in the profile directory (where you always have write permissions).
SeaMonkey versions 2 and above (AKA "Suite Runner") borrow a similar extensions management system.

3.6

Q:
I've just upgraded to or reinstalled Mozilla Suite / SeaMonkey 1.x, and NoScript has ceased working. I can still see icons and all, but when I click they do nothing!
A:
Due to a limitation in Mozilla Suite and SeaMonkey 1.x (both lack true extensions support, introduced with Firefox),
addons delivering their own XPCOM components (such as FlashGot, NoScript, FoxyTunes, ColorZilla and many others) must be reinstalled every time you install/upgrade your browser.
Just reinstall NoScript as an administrator or root if needed (see FAQ 3.5 if you're wondering why) and everything should be fine again.

(That answer does not apply to SeaMonkey 2.x and above. If you are running a current version of SeaMonkey, scan your system for malware; if that comes out clean, you probably have an extension conflict, so try Standard Diagnostic to isolate and correct the cause.)

3.7

Q:
I've got troubles with Yahoo / Yahoo! Mail, but they go away when I disable NoScript or allow scripts globally.
What should I do to selectively allow Yahoo?
A: You just need to allow the following entries from the NoScript contextual menu:

yahoo.com

yimg.com

Advanced users may want to be more restrictive than this, but the above will catch all the Yahoo services.
Yahoo! Mail attachments:
Yahoo! launches
attachment downloads in an invisible frame from a different domain (usually an IP starting with "216.").
Therefore, if the file is of a kind handled by Firefox plugins (e.g. PDF, MP3 or WMV),
it will get blocked by NoScript. After the first download fails, please check your NoScript menu and select
the Allow 216.xxx.yyy.zzz command you'll find there. The next Yahoo! Mail attachment download will just work.
Notice that if you've got NoScript Options|Embeddings|Apply these restrictions to trusted sites as well checked
(not the default), you'll need to use Blockable Objects|Temporarily allow *@http://216.xxx.yyy.zzz instead.

3.8

Q:
I am using Firefox 27 (or below) and I cannot copy and paste formatted text in a rich text field (e.g. my webmail composer or my CMS editor).
The suggested remedies (setting some capability.policy preference or using the AllowClipboard Helper extension) do not work. Is this caused by NoScript?
A:
Those "suggested remedies" are not compatible with NoScript, but enabling clipboard operations on trusted sites is even simpler: just open NoScript Options|Advanced and check the Allow rich text copy and paste from external clipboard
preference in the "Additional permissions for trusted sites" section.
Don't forget to uninstall the AllowClipboard Helper extension and remove the clipboard-related capability.policy entries
from your preferences files.

3.9

Q:
I've got some images on my hard disk which need to be loaded
inside a remote web page (a common online game setup).
As long as NoScript is active, I cannot see my images. What can I do, other than disabling NoScript?
A:
Just check NoScript Options|Advanced|Allow local links.

3.10

Q:
I added good-site.com to the black list (Untrusted|Mark as Untrusted good-site.com), but it was an error.
How can I revert my choice?
A:
Just reopen the Untrusted menu (on the same page as before) and you'll find the Temporarily allow good-site.com command there.

3.11

Q:
One of the NoScript keyboard shortcuts overrides a shortcut used by another important extension of mine (e.g. Web Developer). What can I do?
A:
NoScript keyboard shortcuts have been carefully chosen not to overlap any Firefox built-in function (it's harder than it looks) and also not
to clash with any extension likely to be used by non-technical people.
Notwithstanding, there are literally thousands of Firefox add-ons out there, hence a collision is still possible.
If you see this happening, you can easily reconfigure NoScript's keyboard shortcuts by editing the noscript.keys.* preferences in
about:config.
Defaults are:

noscript.keys.toggle: ctrl shift VK_BACK_SLASH.|

noscript.keys.ui: ctrl shift S

noscript.keys.tempAllowPage: [no default keyboard shortcut]

noscript.keys.revokeTemp: [no default keyboard shortcut]

As you can see, shortcuts are specified as a combination of some modifiers ("ctrl", "shift", "alt") followed by one character (e.g. "A", "1", "Z") or
one virtual keycode (e.g. "VK_BACK_SPACE", "VK_X", "VK_Y"), all space separated.
You can even specify a pair character/virtual keycode (separated by a dot character) to cope with keyboard glitches on different systems
(useful if you use a roaming profile or a portable browser).
Virtual keycodes are listed below for your reference:
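Before editing the noscript.keys.* preferences by hand it helps to see how a value breaks down, and to check that a new value does not reproduce the very collision you are trying to avoid. The following is an added example, not NoScript's own code: it parses a shortcut spec in the format described above (space-separated modifiers, then a single character, a VK_ virtual keycode, or a dot-joined pair of the two), renders it in readable form, and reports which bindings in a set collide. The accepted modifier names ("ctrl", "shift", "alt"), the helper names and the `other.extension.keys.toolbar` pref standing in for some other extension are assumptions made for the example; the NoScript defaults are the ones quoted in this answer.

```javascript
// Added example, not NoScript's own code: parse and compare noscript.keys.*
// shortcut specs in the format the FAQ describes. Helper names, the set of
// accepted modifiers ("ctrl", "shift", "alt") and the pref name of the
// "other extension" are assumptions made for this illustration.

const MODIFIERS = ["ctrl", "shift", "alt"];
const KEYCODE = /^VK_[A-Z0-9_]+$/;

// Parse "ctrl shift VK_BACK_SLASH.|" into { modifiers, key, keycode }.
// An empty spec means "no shortcut" (the FAQ's "[no default keyboard shortcut]").
function parseShortcut(spec) {
  const result = { modifiers: [], key: null, keycode: null };
  const tokens = (spec || "").trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) return result;
  const keyToken = tokens.pop();
  for (const tok of tokens) {
    const mod = tok.toLowerCase();
    if (!MODIFIERS.includes(mod)) throw new Error(`"${tok}" is not a modifier in "${spec}"`);
    if (!result.modifiers.includes(mod)) result.modifiers.push(mod);
  }
  if (MODIFIERS.includes(keyToken.toLowerCase())) throw new Error(`no key in "${spec}"`);
  // The key token is a single character, a VK_ keycode, or a dot-joined pair of both
  // (in either order). A lone "." is the period character, not a separator.
  let parts;
  let m;
  if ((m = /^(VK_[A-Z0-9_]+)\.(.)$/.exec(keyToken))) parts = [m[1], m[2]];
  else if ((m = /^(.)\.(VK_[A-Z0-9_]+)$/.exec(keyToken))) parts = [m[2], m[1]];
  else parts = [keyToken];
  for (const part of parts) {
    if (KEYCODE.test(part)) result.keycode = part;
    else if (part.length === 1) result.key = part.toUpperCase();
    else throw new Error(`bad key "${part}" in "${spec}"`);
  }
  result.modifiers.sort(); // so "shift ctrl X" and "ctrl shift X" compare equal
  return result;
}

// Two shortcuts collide when they need the same modifiers and share either the
// character key or the virtual keycode (a pair spec can match on both).
function sameShortcut(a, b) {
  if (a.modifiers.join("+") !== b.modifiers.join("+")) return false;
  if (a.key === null && a.keycode === null) return false; // unbound never collides
  return (a.key !== null && a.key === b.key) || (a.keycode !== null && a.keycode === b.keycode);
}

// Given a map of pref name -> spec (NoScript's plus another extension's),
// return the pairs of pref names whose shortcuts collide.
function findCollisions(bindings) {
  const names = Object.keys(bindings);
  const parsed = names.map(n => parseShortcut(bindings[n]));
  const collisions = [];
  for (let i = 0; i < names.length; i++) {
    for (let j = i + 1; j < names.length; j++) {
      if (sameShortcut(parsed[i], parsed[j])) collisions.push([names[i], names[j]]);
    }
  }
  return collisions;
}

// Render a parsed shortcut the way a user would read it, e.g. "Ctrl+Shift+S".
function describeShortcut(parsed) {
  if (parsed.key === null && parsed.keycode === null) return "(none)";
  const mods = parsed.modifiers.map(m => m[0].toUpperCase() + m.slice(1));
  const key = parsed.keycode && parsed.key
    ? `${parsed.keycode} (${parsed.key})`
    : (parsed.keycode || parsed.key);
  return [...mods, key].join("+");
}

// The defaults quoted in the FAQ, plus a constructed binding for a hypothetical
// other extension that happens to use Ctrl+Shift+S as well.
const DEFAULT_BINDINGS = {
  "noscript.keys.toggle": "ctrl shift VK_BACK_SLASH.|",
  "noscript.keys.ui": "ctrl shift S",
  "noscript.keys.tempAllowPage": "",
  "noscript.keys.revokeTemp": "",
  "other.extension.keys.toolbar": "ctrl shift S", // hypothetical
};

function main() {
  for (const [name, spec] of Object.entries(DEFAULT_BINDINGS)) {
    console.log(name.padEnd(32), describeShortcut(parseShortcut(spec)));
  }
  console.log("collisions:", findCollisions(DEFAULT_BINDINGS));
}

if (typeof require !== "undefined" && require.main === module) main();
```

With the constructed bindings the only collision reported is between noscript.keys.ui and the hypothetical other extension's Ctrl+Shift+S; a toggle spec such as `ctrl shift VK_BACK_SLASH.|` is shown as both its keycode and its character, which is exactly the pair notation the answer describes for coping with keyboard differences across systems.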

3.12

Q:
Since I installed NoScript, I've troubles with the ScrapBook extension. What can I do?
A:
As noticed by Mr. T. Logan Scott, the ScrapBook extension needs (quite oddly) the file:// "protocol" to be
whitelisted in NoScript to operate correctly. So, if you absolutely need the ScrapBook extension, and until the ScrapBook
authors work around this limitation, you have to Allow file://, either from the NoScript menu or the NoScript
Options dialog.

3.13

Q:
Going to http://www.bloglines.com/myblogs and clicking 'Mark All Read' gives an error in the right panel.
A:
For that feature to work, allowing www.bloglines.com as you apparently did doesn't suffice.
You also need to add tm.ask.com to your whitelist.
Should other similar problems happen after that, add ask.com as well.

3.14

Q:
Why do recent NoScript versions prevent me from using XMLHttpRequest in the Firebug console on untrusted sites?
A:
Older versions of Firebug use various hacks to allow interactive JavaScript execution for web developers in the "apparent" context of sites where
JavaScript is otherwise disabled (e.g. by NoScript).
Unfortunately one of these hacks, which allows XMLHttpRequest usage, doesn't work if the noscript.forbidData about:config preference is set to true.
Just toggle it to false and Firebug will fully work again.
Notice that this change doesn't imply any special security weakening, as long as XSS protection is kept enabled.

In current versions of Firebug, its console does not work on pages where JavaScript is disabled. You need to open the NoScript menu and (Temporarily) allow the main site for it to work.

3.15

Q:
Why do I find 127.0.0.1:1029 or localhost:1029 (the "1029" number may vary) in my NoScript menu on almost every page I visit?
A:
You probably have a personal firewall or a proxy injecting extra code inside your pages.
An example is ZoneAlarm with its "Privacy Advisor" feature.
You may either disable this feature or use wildcard ("jolly") port matching (i.e. http://127.0.0.1:0)
to whitelist all those random instances.

3.16

Q:
I get an "Unresponsive Script" message from Firefox on some page or on startup. If I disable NoScript, it doesn't happen. What does it mean?
A:
The message you're getting is usually related to poorly coded JavaScript in web pages.
Under normal circumstances, you should get far fewer messages like that since you installed NoScript (logically).
However, since Firefox extensions are written in JavaScript too and NoScript doesn't block scripts living outside web pages
(i.e. the browser components, including extensions), if one of them misbehaves you get that message as well.
Now the tricky part: some extensions don't like JavaScript being disabled for web pages. Most of them simply refuse to work, but
a very few enter infinite loops and cause the "Unresponsive Script" message to pop up.
One known offender is the Background Music (BGM) extension.
If you've got it, you may need to choose: music or security?
Otherwise, please use the Standard Diagnostic procedure to find the culprit.
If you can't isolate a misbehaving extension, you may want to follow the other advice here.

3.17

Q:
Some pages display the little NoScript icon with one or more links on its left side.
I thought this could be disabled by unchecking "Show placeholder", but it's still shown...
How do I make it go away?
A:
That's not the ordinary plugin placeholder, but JavaScript links auto-detected on an otherwise empty page or sub-frame
where JavaScript is disabled.
If you don't want to see that anymore, set the noscript.jsredirectIgnore about:config preference to true.
Additionally, any invisible link or button is forced to be displayed, unless at least one navigational element is present.
The rationale behind both features is making basic navigation possible on pages which don't degrade gracefully without JavaScript.

3.18

Q:
Galleries at smugmug.com are not working even though I whitelisted everything here. What's going on?
A:
Please upgrade to the latest development build.
If the problem persists, please report it.

3.19

3.20

Q:
Some Ubiquity features are not working when NoScript is installed. What can I do?
A:
Most Ubiquity features work just fine with NoScript out of the box. However, some Ubiquity actions depend on certain web sites being allowed.
The map command, for instance, requires you to add the following sites to your whitelist:

about:ubiquity

mozilla.com

google.com (they're Google Maps, after all...)

j.maxmind.com (Ubiquity imports a geoip script from there)

In some configurations, allowing file:// may be needed too.

3.21

Q:
I use a NoScript version between 1.9.2.3 and 1.9.2.5 (inclusive). Why do I see ads on the NoScript developer's sites even if I've got AdBlock Plus + EasyList?
A:
tl;dr If you don't want that, upgrade your very old NoScript to the latest compatible version.

Starting with version 1.9.2.3, NoScript configured a special AdBlock Plus filterset called "NoScript development support filterset",
whitelisting the noscript.net, flashgot.net, informaction.com and hackademix.net web sites, after they were
broken by a virulent attack from EasyList
which crippled even essential features such as links for direct downloads and development builds.
While EasyList finally mitigated its filters after this whitelist was publicly released,
keeping the filterset is still useful both to prevent such a breakage from happening again and to give users a chance to support NoScript development
if they don't mind seeing ads on these specific sites.
Should you prefer not to support NoScript development this way, you can just open the AdBlock Plus preferences
and disable the aforementioned filterset with one click.
Since version 1.9.2.5 (released May the 1st 2009), NoScript asks you once beforehand if you want to keep/install or delete the filterset permanently.
Version 1.9.2.6 (released May the 1st 2009) automatically and permanently removes the filter on startup, no questions asked.

3.22

Q:
Suddenly my "Allow ..." commands are grey and disabled. I cannot whitelist any domain! What's going on?
A:
Very likely you've accidentally modified your NoScript Options|Advanced|HTTPS|Behavior|Forbid
active web content unless it comes from a secure (HTTPS) connection value.
It should never be changed unless you know exactly what you're doing. Just reset it to "Never"
(its default value) and everything should be fine again.

3.23

Q:
How can I make the Minimap extension work with NoScript installed?
A:
Opening Minimap's sidebar and playing with NoScript's Recently blocked sites submenu, you'll find that you need to

Allow stcstm.com

Allow google.com (if not already allowed, should be by default)

Allow gstatic.com (if not already allowed, should be by default)

3.24

Q:
Some Google Toolbar features don't work with NoScript, what can I do?
A:
You need to Allow file://, either manually (NoScript Options|Whitelist)
or from the Recently Blocked Sites submenu.

3.25

Q:
I apparently cannot enable any site: all the "Allow" menu items are grayed out. What's happening?
A:
You likely changed your NoScript Options|Advanced|Forbid active web content unless it comes from a secure (HTTPS) connection
setting to "Always". Just reset it to its original value, "Never".

3.26

Q:
All the "Allow..." commands are gone from NoScript's menu: I can see only "Temporary allow..." items. What's going on?
A:
If you're using Private Browsing, that's by design, in order to reduce your chances of leaving unwanted permanent traces of your navigation habits.
If you really want to permanently change site permissions from NoScript's menu even if you're in private mode, you need to check the
Permanent "Allow" commands in private windows menu option.

4 - XSS

4.1

Q:
What is XSS and why should I care?
A:
XSS stands for Cross-Site Scripting,
a web application vulnerability which allows an attacker to inject malicious code from a certain site into a different site,
and can be used by an attacker to "impersonate" a different user or to steal valuable information.
This kind of vulnerability has clear implications for NoScript users, because if a whitelisted site is vulnerable to an XSS attack,
the attacker can run JavaScript code by injecting it into the vulnerable site, thus bypassing the whitelist.
That's why NoScript features unique and very effective Anti-XSS protection functionality, which
prevents untrusted sites from injecting JavaScript code into a trusted web page via reflected XSS and makes NoScript's whitelist bullet-proof.

4.2

Q:
Looks like the Anti-XSS feature causes problems with URLs containing some characters such as <, ' (single quote) or " (double quotes).
What's happening?
A:
If you're following a link contained in an untrusted page and leading to a trusted page,
this behaviour is expected by design.
The reason is that those characters can be used to inject malicious code in the destination page, and since the source site is not trusted, "extreme" measures are taken by default.
Possible work-arounds are:

Removing the target site from your whitelist. This is usually the best and safest option,
unless the target site absolutely mandates JavaScript, and is also the wisest choice especially for
sites containing user-generated content, e.g. message boards or Wikipedia, because it prevents persistent XSS (also known as "Type 2").

Clicking the "Options" button and choosing the XSS|Unsafe Reload command from the contextual menu, in order to replay the suspicious request skipping sanitization.

(Temporarily) adding the source site to your whitelist. Of course, you should do this only if you (temporarily) trust it, and it is
considerably less safe than #1 and #2*

Cross-site requests from a trusted site to a different trusted site are checked through the InjectionChecker engine, which is more accurate
and sanitizes only requests which contain conspicuous fragments of HTML or syntactically valid JavaScript.

4.3

Q:
Can I turn off Anti-XSS activity notifications?
A:
Yes, you can, just toggle the NoScript Options|Notifications|XSS preference.
Of course you will still be able to monitor NoScript's Anti-XSS activity log in the Browser Console (Firefox) or Error Console (SeaMonkey), and you will get an extra "XSS" menu inside the NoScript contextual menu whenever an XSS
attempt is detected, featuring all the actions usually accessed from the notification bar.

4.4

Q:
Can I bypass Anti-XSS filters for certain web pages?
A:
If you're a bit of the "geek" type, you know regular expressions and you're very confident the target web page is immune to XSS vulnerabilities,
you can tweak the NoScript Options|Advanced|XSS|Anti-XSS Protection Exceptions rules, i.e. a list of regular expressions (one on each line)
used to identify web addresses which you deem do not need to be protected against XSS.
For instance, the "advanced search" feature on eBay uses a syntax which is very likely to form syntactically valid JavaScript,
and thus triggers the XSS filters.
If you use this feature often, you may want to copy this line at the bottom of your filter exceptions, paying attention not to add extra spaces:

^http://[\w\-\.]*\bsearch[\w\-\.]*\.ebay\.(?:com|de|co\.uk)[\/\?]

Notice that "de" and "co\.uk" match German and British eBay respectively:
you will need to add your own country code / top level domain if you use a different non-US local eBay site.

4.5

Q:
Can I turn off the Anti-XSS protection?
A:
Even if it's not recommended for daily usage, temporarily disabling the Anti-XSS protection may be useful, e.g. for testing purposes if you're a security researcher hunting for XSS vulnerabilities.
To do that, you just need to open NoScript Options|Advanced and toggle the cross-site restrictions preferences.

4.6

Q:
Why does NoScript block documents loaded from jar: URLs?
A: Notice: NoScript 2.0.9 and above removed this feature because the same protection is now available by means of
other more transparent countermeasures, both from Firefox >= 3.0 and from NoScript itself
As part of its anti-XSS protection, since version 1.1.7.8 NoScript prevents JAR resources from being loaded as documents:
loading documents from within JAR files brings a serious XSS risk on every site allowing JAR files
to be uploaded by users or, very common, allowing open redirects, e.g. Google. See
Beford's proof of concept exploiting Google,
the original GNUCITIZEN disclosure and bug 369814 for further references.
You can control JAR blocking from the NoScript Options|Advanced|JAR panel.
Notice that this feature doesn't depend on your whitelist, i.e. it works on every site, no
matter if you allowed it to run JavaScript or not.

4.7

Q:
Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?
A: Flash-based XSS can be performed by embedding a Flash object from a trusted site inside an untrusted web page.
NoScript prevents this kind of attack by blocking plugins embedded on untrusted pages even if they ultimately come from trusted sites.
Of course, you can still activate those objects on demand without whitelisting the embedding page,
by simply clicking on the placeholder NoScript icon.
At any rate, if you still prefer trusted plugin content to be allowed on untrusted pages, you can toggle the
noscript.forbidActiveContentParentTrustCheck about:config preference to false.

4.8

Q:
How does IFrame blocking work and why is it disabled by default?
A: IFrame blocking is disabled by default
because in its early stages it used to break too much stuff, while disabling scripts and blocking objects,
combined with the anti-XSS protection,
actually prevents most of the IFRAME-based attacks you could imagine.
Anyway this feature has been tweaked and fine-tuned over time, and it should be much more usable now, especially after the Blocked objects
menu has been implemented offering an alternate enabling UI, handy when placeholders are not easily accessible.
Furthermore, since clickjacking became popular,
enabling it is probably a good idea.
Here's how IFRAME blocking works, once enabled from NoScript Options|Embeddings|Forbid IFRAMEs:

IFRAMEs embedded in untrusted pages are always blocked, unless they load content from the same site as their parent

IFRAMEs embedded in trusted pages are blocked if they try to load content from untrusted sites

If NoScript Options|Embeddings|Apply these restrictions to trusted sites too is checked, no IFRAME can be loaded unless it loads content from the same site as its parent

In every case, IFRAMEs loading content from the same site as their parent are allowed.*

When an IFRAME is blocked, you can see a clickable yellow placeholder which you can use either to examine its URL, save the document without opening it or activate it on the fly.

* if you want every iframe to be blocked, even if same-site with its parent, you can set the noscript.forbidIFramesContext about:config preference to 0 (zero)
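As an added example (not NoScript's own code), the rules above written as a decision function so each case can be checked against concrete parent/frame pairs. It assumes "trusted" means the host matches a whitelist entry exactly or as a subdomain, that "same site" is compared on the full hostname, and that noscript.forbidIFramesContext only matters as 0 versus anything else; all names are this example's own.

```javascript
// Added example, not NoScript's own code: a decision function modelling the
// IFRAME blocking rules listed in the FAQ. Simplifications (assumed here):
//  - "trusted" = hostname equals a whitelist entry or is a subdomain of one
//  - "same site as its parent" = identical hostname
//  - noscript.forbidIFramesContext is modelled only as 0 (block even
//    same-site frames) versus any other value (same-site frames allowed)

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

function isTrusted(host, whitelist) {
  return whitelist.some(site => host === site || host.endsWith("." + site));
}

// Returns { allowed: boolean, reason: string } for one IFRAME load attempt.
function iframeDecision(parentUrl, frameUrl, settings) {
  const { whitelist, forbidIFrames, applyToTrustedToo, forbidIFramesContext = 1 } = settings;
  if (!forbidIFrames) {
    return { allowed: true, reason: "Forbid IFRAMEs is not enabled" };
  }
  const parent = hostOf(parentUrl);
  const frame = hostOf(frameUrl);
  // Same-site frames are allowed in every case, unless forbidIFramesContext is 0.
  if (parent === frame) {
    return forbidIFramesContext === 0
      ? { allowed: false, reason: "same-site frame, but forbidIFramesContext is 0" }
      : { allowed: true, reason: "same site as its parent" };
  }
  // Frames in untrusted pages are always blocked when cross-site.
  if (!isTrusted(parent, whitelist)) {
    return { allowed: false, reason: "cross-site frame in an untrusted page" };
  }
  // "Apply these restrictions to trusted sites too": only same-site frames load.
  if (applyToTrustedToo) {
    return { allowed: false, reason: "restrictions apply to trusted sites too" };
  }
  // Trusted page: frames from untrusted sites are blocked, trusted ones load.
  return isTrusted(frame, whitelist)
    ? { allowed: true, reason: "trusted frame in a trusted page" }
    : { allowed: false, reason: "untrusted frame in a trusted page" };
}

// Constructed demo settings and a couple of sample decisions.
const DEMO_SETTINGS = {
  whitelist: ["example.com", "trusted.org"],
  forbidIFrames: true,
  applyToTrustedToo: false,
};
console.log(iframeDecision("https://www.example.com/", "https://ads.untrusted.net/", DEMO_SETTINGS));
console.log(iframeDecision("http://blog.untrusted.net/", "http://blog.untrusted.net/w", DEMO_SETTINGS));
```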

5 - tips and tricks

5.1

Q:
I don't want to allow forums.mozillazine.org (hey, after all it is user-provided content, unsafe by design!).
Almost everything works, but the "quick reply" button fails.
Of course I can use the regular reply link or Temporarily allow, but when I forget it I lose my post and it's quite annoying.
What can I do?
A:
If you're a GreaseMonkey user, you can install this User Script,
which also provides a few little goodies for Mozillazine posters.

5.2

Q:
When I change permissions, all the affected tabs/windows are reloaded, and sometimes this is annoying.
I know I could turn off automatic reloading from
NoScript Options|General, but can I disable it for background tabs/windows but keep it for the current tab only?
A:
Yes, you can: just check the "Reload the current tab only" option in NoScript Options|General, right under the automatic reload checkbox.
You have even more control over when NoScript should automatically reload pages in about:config. Here's a list of all the reload-related noscript options:

noscript.autoReload.allTabs
if set to false, only the current tab is reloaded

noscript.autoReload.allTabsOnGlobal
if set to false (default), only the current tab is reloaded if you allow script globally

noscript.autoReload.allTabsOnPageAction
if set to false, only the current tab is reloaded when you use bulk permission change commands (e.g. Allow all on this page)

5.3

Q:
Movies are not working on the YouTube site.
Why does it say I must enable JavaScript and Flash even if I already allowed youtube.com?
A:
YouTube has split its content across two domains, likely for performance reasons.
Therefore you must allow both youtube.com and ytimg.com (you're probably missing the latter).

5.4

Q:
I'm worried by the fact some sites require the akamai.net domain to be whitelisted. I'd prefer not to allow it everywhere,
but only on some parent sites I trust. How can I do it?
A:
You can use ABE to this effect, by adding the following rule to your
NoScript Options|Advanced|ABE USER ruleset:

Notice the leading dot "." before domains, which is syntactic sugar for site.com *.site.com, i.e. a domain and its subdomains.
It should also be noted that, independently from this rule, external scripts are never loaded from pages which don't belong to a
whitelisted site, hence no malicious website you haven't explicitly whitelisted could execute scripts from akamai.net anyway.

5.5

Q:
Why doesn't the NoScript menu disappear automatically after I allow/forbid one site?
A:
NoScript 1.8.4 introduced a long awaited enhancement for allowing multiple script sources on the same page at once, called the "sticky" UI.
Now if you open the NoScript menu by left clicking on a NoScript icon, or using the ctrl+shift+S
keyboard shortcut, you get the new "sticky" behavior, i.e. you can change multiple permissions without
closing the menu and causing a page refresh. When you're done and ready for reload, you just click outside the menu or hit the Esc key.
You still get the old one-click/one-reload behavior when you open the menu by right clicking.
If you want the old behavior back for left clicks, just toggle the noscript.stickyUI about:config preference to false.
You can toggle the noscript.stickyUI.onKeyboard preference too if you don't want the keyboard-triggered menu to be sticky.
Another setting you may be interested in is noscript.stickyUI.liveReload, which causes quick reloads to happen when you change
each single site even if the menu remains sticky (false by default).

5.6

Q:
Why do I sometimes need to reiterate the (Temporarily) allow all on this page command twice or more on the same page?
Doesn't "all" mean actually every single script?
A:
For security reasons, "all on this page" means every script source which has already been detected on the page and shown in the NoScript menu:
this way you can check in advance what you're whitelisting, even if you're doing it in a single move.
This means, on the other hand, that if a script you've just allowed now tries to dynamically
load another script from a different origin, not seen yet, this new load attempt will be blocked,
so you're given a chance to choose whether to allow it or not. In other words, you need to reiterate
Allow all on this page until no more "surprise" scripts surface after your command has been issued. If
you believe this is too much security for your needs, you can switch on the Advanced|Trusted|Cascade top document's permissions to 3rd party scripts option,
which will automatically allow all the (possibly nested) scripts on pages whose top document address is whitelisted.

6 - HTTPS

6.1

Q:
What's HTTPS and why is that important for NoScript users?
A: HTTPS stands for "Hypertext Transfer Protocol over Secure Socket Layer", and you can think of it as HTTP
(the protocol you usually retrieve web pages with) over a secure encrypted connection.
It is meant to protect you from eavesdroppers and man-in-the-middle attacks.
An important feature of HTTPS is that if a web site has a valid digital certificate for its identity, as verified automatically by your browser, you can be reasonably sure
it is the one it says it is. You can recognize HTTPS web sites by looking at their addresses, always beginning with "https://".
Firefox highlights sites having a valid certificate by turning part of the location bar blue or green.
Since NoScript security is largely based on domain names, a malicious party capable of spoofing a trusted site might work around your whitelist.
This kind of spoofing may happen through a DNS Hijacking attack
or because you're using an untrusted proxy server, like many anonymizers including Tor.
The former risk can be mitigated by configuring a static secure DNS, e.g.
OpenDNS, and forcing its usage even if you're roaming with your laptop.
Untrusted proxies or connectivity providers are harder to tame, because a man-in-the-middle could inject arbitrary content in any non-secure (non-HTTPS) page.
In order to mitigate these issues, NoScript can be configured to honor your whitelist only if the current page is served through HTTPS, and therefore cannot be spoofed.
Additionally, NoScript can help you force your most sensitive sites to always use HTTPS, and
mitigate cookie hijacking.

6.2

Q:
How can I tell NoScript to allow only the sites of my whitelist which are served through HTTPS?
A:
Open NoScript Options|Advanced|HTTPS|Behavior, click under Forbid active web content unless it comes from a secure (HTTPS) connection
and choose one among:

Never - every site matching your whitelist gets allowed to run active content.

When using a proxy (recommended with Tor) - only whitelisted sites which are being served through HTTPS are allowed when coming through a proxy.
This way, even if an evil node in your proxy chain manages to spoof a site in your whitelist, it won't be allowed to run active content anyway.

Always - no page loaded by a plain HTTP or FTP connection is allowed.

6.3

Q: Can NoScript force some sites to always use HTTPS?
A:
Yes, just open NoScript Options|Advanced|HTTPS|Behavior, enter the sites you want to force in the topmost box,
and those you want to always leave alone in the bottom one.
You can use space-separated simple strings, which will be matched as "starts with...", glob patterns like *.noscript.net and full-fledged regular expressions.
If, for instance, you want HTTPS to be forced on every Google application excluding Search and iGoogle, you can put

6.4

Q: What can NoScript do against HTTPS cookie hijacking?
A:
HTTPS cookie hijacking happens when a site sets sensitive cookies (e.g. those identifying authenticated sessions) over HTTPS connections but "forgets"
to flag them as "Secure". This means that subsequent unencrypted (non-HTTPS) requests for the same site will leak the session cookies away,
even if you logged in securely.
NoScript provides means to mitigate this issue, configurable in NoScript Options|Advanced|HTTPS|Cookies.
If Enable Automatic Secure Cookies Management is checked,
NoScript will try to "patch" insecure cookies set by HTTPS sites on the fly:

If the site matches the "Ignore unsafe cookies..." pattern list, NoScript lets
its cookies pass through untouched

If the site matches the "Force encryption for all the cookies..." pattern list, NoScript appends a
";Secure" flag to every non-secure cookie set by this response

Otherwise, NoScript just logs unsafe cookies BUT if no secure cookie
is set in an HTTPS transaction setting other (unsafe) cookies, NoScript patches all these cookies with ";Secure" like in #2.
However, if a navigation from an encrypted to a non-encrypted part of the same site (i.e. sharing the same cookies)
happens in the same tab, NoScript removes its ";Secure" patch to
ensure compatibility. When it happens, this event is logged to the Error Console, along with a recommendation
to try forcing HTTPS by listing this site in the HTTPS|Behavior|Force section.
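The three-rule decision above as an added example (not NoScript's own code), applied to the Set-Cookie headers of constructed HTTPS responses. The pattern matching (the "*.ebay.com" glob form, plus a leading "." matching the bare domain too, as in 6.5) and the option names are this example's assumptions, and the later "remove the patch on HTTP navigation" fallback is not modelled.

```javascript
// Added example, not NoScript's own code: a model of the Automatic Secure
// Cookies Management decision described in the FAQ, run over the Set-Cookie
// headers of one response. Assumed here: pattern lists use glob syntax
// ("*.ebay.com"), a leading "." also matches the bare domain, and the
// HTTP-navigation fallback that removes the patch again is left out.

function escapeRegExp(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// "*.twitter.com" does NOT match "twitter.com"; ".twitter.com" does (see 6.5).
function hostMatches(host, pattern) {
  if (pattern.startsWith(".")) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  const re = new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$", "i");
  return re.test(host);
}

function isSecureCookie(header) {
  return /;\s*secure\s*(?:;|$)/i.test(header);
}

function cookieName(header) {
  return header.split("=")[0].trim();
}

// Returns { cookies: [...Set-Cookie values after patching], log: [...messages] }.
function secureCookiesForResponse(url, setCookies, opts = {}) {
  const { enabled = true, ignorePatterns = [], forcePatterns = [] } = opts;
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const log = [];
  const passThrough = () => ({ cookies: setCookies.slice(), log });
  const patchAll = () => ({
    cookies: setCookies.map(c => {
      if (isSecureCookie(c)) return c;
      log.push(`${host}: added ;Secure to cookie ${cookieName(c)}`);
      return c + ";Secure";
    }),
    log,
  });

  // Only cookies set over HTTPS are candidates for patching.
  if (!enabled || u.protocol !== "https:") return passThrough();

  // Rule 1: site on the "Ignore unsafe cookies..." list -> untouched.
  if (ignorePatterns.some(p => hostMatches(host, p))) {
    log.push(`${host}: matches an ignore pattern, cookies left untouched`);
    return passThrough();
  }
  // Rule 2: site on the "Force encryption..." list -> every unsafe cookie patched.
  if (forcePatterns.some(p => hostMatches(host, p))) return patchAll();

  // Rule 3: log unsafe cookies, but if this HTTPS response sets no secure
  // cookie at all, patch them all like rule 2.
  const unsafe = setCookies.filter(c => !isSecureCookie(c));
  if (unsafe.length === 0) return passThrough();
  if (setCookies.some(isSecureCookie)) {
    for (const c of unsafe) log.push(`${host}: unsafe cookie ${cookieName(c)} set over HTTPS`);
    return passThrough();
  }
  return patchAll();
}

// Constructed demo: an HTTPS login response whose session cookie lacks Secure.
console.log(secureCookiesForResponse("https://shop.example.org/login",
  ["sid=abc123; Path=/; HttpOnly", "cart=2; Path=/"], {}));
```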

6.5

Q:
Since I've got Automatic Secure Cookie Management enabled I cannot login on some sites. What's happening?
A:
Some web sites depend on very complicated domain interrelations and, while they handle sign-on on a certain domain through a secure HTTPS channel,
they need to propagate authentication across multiple domains which do not support HTTPS.
NoScript tries its best to gracefully degrade in these situations, which simply cannot be protected,
but some sites are just too complex not to break, and login fails.
In this case, you've got two options:

If you're in a hurry, disable Automatic Secure Cookie Management, clear your cookies
(at least those for the site you're trying to enter) from Firefox's Options|Privacy|Cookies and retry logging in. It should just work.

Otherwise, open NoScript Options|Advanced|HTTPS|Cookies and add "*.somewebsite.com" (without the quotes) to the Ignore unsafe cookies... list;

Close NoScript Options with "OK", clear your cookies (at least those for somewebsite.com) from Firefox's Options|Privacy|Cookies and try to log in.

If, for instance, you can't login on www.ebay.com, the problem can be fixed adding *.ebay.com to NoScript Options|Advanced|HTTPS|Cookies|Ignore unsafe cookies...
and possibly resetting your cookies. If the problem happens on http://twitter.com (notice there's no "www." there),
you'll need to put .twitter.com (note the leading ".") to match both the top domain and the subdomains.

Whatever solution you choose, I'd appreciate it if you sent me any [NoScript HTTPS] line you may find in Tools|Web Developer|Browser Console
(possibly anonymizing authentication tokens) for analysis, so I can better tweak this very new feature.

7 - ClearClick and Clickjacking

7.1

Q:
What is Clickjacking?
A:
The word "Clickjacking" has been coined by
Robert "RSnake" Hansen and
Jeremiah Grossman,
two security researchers (and, incidentally, NoScript users) who back in September 2008 had been prompted by Adobe to withdraw
a speech about this matter because it revealed a critical exploitable flaw in the Flash player.
The concept itself is not new, though, even if there was no previous systematic research.
In fact, with "Clickjacking" we designate a class of attacks (also known as "UI Redressing") which consist in hiding
or disguising a user interface element from a site you trust (e.g. the "Send" button of your webmail site or a pre-configured "Donate" Paypal button)
in a way which leads you to click it without knowing exactly what you're doing.
In the impressive proof of concept by RSnake and Jeremiah, you clicked anywhere in their apparently innocuous page, believing you were doing nothing dangerous,
but in reality you were activating your microphone and/or your webcam for Flash access, allowing the remote attacker to spy on you instantaneously.
More generally, an attacker can frame a portion of a certain web page you trust inside a different page under his control,
decontextualizing it or making it transparent: this way he can easily trick you into interacting with it,
and you end up performing a financial transaction or granting him special permissions, without remotely suspecting that something evil is going on.
If JavaScript is allowed on the malicious site, this becomes much easier because the invisible target page can be automatically positioned exactly
under your mouse pointer, so wherever you click the evildoer wins.
However this attack can work even without JavaScript being allowed:
the attacker just needs to trick you into clicking on a seemingly innocuous link or button.
Every web browser is affected, because this attack doesn't rely on any vulnerability or bug which might be fixed overnight:
instead, it exploits very basic and standard web features which are implemented everywhere and are unlikely to be removed any time soon.

7.2

Q:
How can I protect myself from Clickjacking / UI Redressing attacks?
A:
If you're not a user of Mozilla Firefox or of another recent Gecko-based web browser,
you're pretty much out of luck: you would need to disable plugins and IFrames, which is always impractical and sometimes impossible,
since most browsers have no means to do it selectively.
Protecting yourself if you're not a Firefox user
is a real pain and never 100% effective.
On the other hand,
if you use Firefox you can install the free and open source NoScript extension (yes, this one), which provides the only viable and safe protection available today:
the ClearClick technology.

7.3

Q:
How does NoScript protect me from Clickjacking / UI-redressing attacks?
A:
Default protections that NoScript has provided for a long time, i.e. JavaScript and plugin blocking, can prevent most clickjacking attacks.
In older versions, though, to be 100% protected against Clickjacking you needed to enable the Forbid <IFRAME> and possibly
Apply these restrictions to trusted sites as well NoScript options.
Fortunately, since version 1.8.2, NoScript provides a new default kind of protection called
ClearClick, which defeats clickjacking no matter if you block frames or not. Even better, ClearClick can protect you from Clickjacking / UI-redressing attacks independently from JavaScript and plugin blocking:
you can even Allow scripts globally (which is not recommended anyway), and ClearClick still works.

7.4

Q:
What is ClearClick and how does it protect me from Clickjacking?
A: ClearClick is a NoScript specific anti-Clickjacking protection module developed during the September 2008 "Clickjacking panic".
It received testing and feedback from many involved security researchers such as RSnake and Jeremiah Grossman (the fathers of the term "Clickjacking"),
Eduardo "Sirdarckcat" Vela and others, and now it's enabled by default, protecting NoScript users from Clickjacking everywhere:
it even remains active if you switch NoScript into the less safe Allow scripts globally mode.
How does it work?
Clickjacking hides or displaces or partially covers something you wouldn't want to click, if you could see it in its original context.
ClearClick does the opposite: whenever you click a plugin object or a framed page, it takes a screenshot of it alone and opaque (i.e. an image of it with no transparencies and no overlaying objects),
then compares it with a screenshot of the parent page as you can see it.
If the two images differ, a clickjacking attack is probably happening and NoScript raises a "ClearClick warning", showing you the contextualized and "clear"
object you were about to click, so you can evaluate by yourself if that was really something you wanted to do.
Of course there are many subtle technical details involved, but the basic concept is as simple as that.

7.5

Q:
I heard disabling JavaScript may prevent anti-Clickjacking protections deployed from some sites from working.
Does NoScript interfere with server-side anti-Clickjacking countermeasures like "frame busting/killer/break"?
A:
Disabling JavaScript using your browser's built-in settings (or IE's <IFRAME SECURITY="restricted"> feature)
actually disrupts any JavaScript-based anti-Clickjacking protection the target site may have deployed.
The good news is that this limitation does not apply if you use NoScript, thanks to
Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a
“frame busting” script, the intention of the page author is honored by NoScript,
i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference.

8 - ABE

8.1

Q:
What is ABE?
A: ABE stands for "Application Boundaries Enforcer" and it's a technology against
CSRF and internet-to-intranet attacks.

8.2

Q:
Why am I suddenly getting lots of ABE notification on most of the sites I visit?
A:
You probably have a misconfigured hosts file.
Please check this article for a fix.
Another possible reason is that a specific application of yours requires access to a local web server. See the following FAQs for specific work-around procedures.

8.3

Q:
Google Desktop's / Google Toolbar's integration of local search results into Google search queries doesn't work with ABE enabled. What can I do?
A:
Open NoScript Options|Advanced|ABE, select the SYSTEM ruleset, and insert the following rule in the beginning of the text box:

8.5

Q:
Do I really need to disable ABE in order to use MLB.tv?
A:
No you don't, no matter what their FAQ says.
Open NoScript Options|Advanced|ABE and check Enable ABE, if you previously unchecked it.
Then select the SYSTEM ruleset, and insert the following rule in the beginning of the text box:

8.6

Q:
ABE seems to be preventing the F5 Network Access Plugin VPN from working. What can I do?
A:
Open NoScript Options|Advanced|ABE, select the SYSTEM ruleset, and insert the following rule in the beginning of the text box:

# F5 VPN exception
Site http://127.0.0.1:44444
Accept

8.7

Q:
I've got ABE and/or XSS warnings while using Eye-Fi. What can I do?
A:
Open NoScript Options|Advanced|ABE, select the SYSTEM ruleset, and insert the following rule in the beginning of the text box:

You may also need to add the following exception in NoScript Options|Advanced|XSS:

^http://127\.0\.0\.1:\d{3,}[^<"']*$

8.8

Q:
Veoh player doesn't work. What can I do?
A:
Open NoScript Options|Advanced|ABE, select the SYSTEM ruleset, and insert the following rule in the beginning of the text box:

# Veoh player exception
Site 127.0.0.1
Accept from *.veoh.com

8.9

Q:
The Octoshape media plugin does not work (on www.mlgpro.com, for instance). What can I do?
A:
Open NoScript Options|Advanced|ABE, select the SYSTEM ruleset, and insert the following rule in the beginning of the text box:

# Octoshape plugin exception
Site 127.0.0.1:60000
Accept

8.10

Q:
Can I use ABE to fine-tune NoScript's permissions?
A:
While ABE's main purpose is providing anti-CSRF protection, you can certainly
use it to conditionally block certain HTTP requests depending on their origin and destination URLs,
in order to add more granularity to NoScript's traditional domain-based whitelist.
For instance, you may want to allow scripts from google-analytics.com to be executed on www.friend.com and www.friend2.com but fail on www.foe.com and any other web site.
You can do it by opening NoScript Options|Advanced|ABE, selecting your USER ruleset, and adding the following rule in the text box:

Notice that since ABE's rules work independently from NoScript's permissions, you need to "Allow google-analytics.com" in NoScript's menu for the above to work.
Notice also that, independently from ABE, even if a certain script source is whitelisted in NoScript
it won't run as a 3rd party script on pages whose origin is not whitelisted itself.

You can also use finer-grained Deny INCLUSION rules which allow some web sites (e.g. Facebook)
to work and be linked by other web sites, but not to embed iframes, plugins, and scripts (or other kinds of inclusion, if you wish) in 3rd party web pages:

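As an added illustration of how the rules in this section are evaluated (example code, not NoScript's implementation), here is a simplified Python model of the ABE syntax used above: Site host[:port], Accept, Accept from, Deny and Deny INCLUSION, applied top to bottom with the first matching action winning. The ruleset is constructed for the example; ABE's LOCAL keyword is not modelled, so a literal 127.0.0.1 rule stands in for the default local rule, and the Facebook-style rule is one reading of the description above, not a rule quoted from the FAQ.

```python
from urllib.parse import urlparse
# Constructed, simplified ABE-style ruleset, not NoScript's defaults: the Veoh
# exception from 8.8, a literal-host stand-in for ABE's LOCAL rule (assumption),
# and a third-party-inclusion rule in the spirit of 8.10.
RULESET = """
Site 127.0.0.1
Accept from *.veoh.com
Site 127.0.0.1
Accept from 127.0.0.1
Deny
# site may be visited and linked, but not embedded by third parties
Site *.facebook.com
Accept from *.facebook.com
Deny INCLUSION
"""

def host_matches(pattern, host):
    """'*.veoh.com' matches any subdomain of veoh.com; anything else is exact."""
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else pattern == host

def site_matches(pattern, url):
    """Site entries are host or host:port, scheme optional; no port means any port."""
    p, u = urlparse(pattern if "://" in pattern else "//" + pattern), urlparse(url)
    return (p.port is None or p.port == u.port) and host_matches(p.hostname, u.hostname)

def parse_rules(text):
    """Return [(site_patterns, [(verdict, inclusion_only, origin_patterns)])]."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()   # drop comments and blank lines
        if words and words[0] == "Site":
            rules.append((words[1:], []))
        elif words:                              # Accept | Deny [INCLUSION] [from ...]
            origins = words[words.index("from") + 1:] if "from" in words else ["*"]
            rules[-1][1].append((words[0], "INCLUSION" in words, origins))
    return rules

def evaluate(rules, origin_url, dest_url, inclusion=True):
    """Rules run top to bottom, first matching action wins; uncovered -> Accept."""
    origin = urlparse(origin_url).hostname
    for sites, actions in rules:
        if any(site_matches(s, dest_url) for s in sites):
            for verdict, inclusion_only, origins in actions:
                if inclusion_only and not inclusion:
                    continue                     # INCLUSION never affects navigation
                if any(o == "*" or host_matches(o, origin) for o in origins):
                    return verdict
    return "Accept"

RULES = parse_rules(RULESET)
```

With this ruleset a request from www.veoh.com to 127.0.0.1 is accepted, the same request from any other Internet origin is denied, and www.facebook.com can be navigated to from www.friend.com but not embedded by it.
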
8.13

Q:
ABE is preventing my bank web site from accessing the "Warsaw" authentication agent. What should I do?
A:
Open NoScript Options|Advanced|ABE, select the SYSTEM ruleset, and insert the following rule in the beginning of the text box: